PwC uses Trusted Platform Module for strong authentication

Auditing and business-services firm PricewaterhouseCoopers (PwC) today said it's built its next-generation authentication system by swapping out employees' older software-based private-key certificates for hardware-based storage of new certificates using the Trusted Platform Module (TPM).

Auditing and business-services firm PricewaterhouseCoopers (PwC) today said it's built its next-generation authentication system by swapping out employees' older software-based private-key certificates for hardware-based storage of new certificates using the Trusted Platform Module (TPM).

What is TPM?

TPM is a small chip embedded in laptops, says Boudewijn Kiljan, solution architect for global information technology, infrastructure portfolio, at PwC, which is migrating 150,000 users to TPM-based storage of private keys. The vast majority of computers on the market ship with TPM inside, and by adding TPM-based software from Wave Systems, it was fairly easy for PwC, which already had a public-key infrastructure (PKI) in place, to switch to hardware-based storage of private keys, the foundation for employee desktop authentication.

The main reason to make this switch was concern that there are attack programs that can steal software-based private keys right off the employee's desktop, says Kiljan, who discussed the company's TPM project at the NSA Trusted Computing Conference and Exposition in Orlando.

In contrast, "private keys protected by TPM are not exportable," Kiljan said. The Microsoft-based software-only method that PwC had been using to store private keys does appear to be far more vulnerable to an attacker intent on stealing private keys, he noted.

TPM, developed as a specification by the Trusted Computing Group (TCG), is an open standard so there's less worry about vendor lock-in than if a more proprietary method were selected, Kiljan pointed out. One thing to note about TPM is that it's a restricted technology in the countries of China, Russia, Kazakhstan and Belarus, he noted.

Related

But while making the conversion to TPM has been fairly easy by adding TPM-supporting software from Wave Systems, there were a number of processes that the IT department at PwC had to follow to make it all work.

These included issuing new certificates for TPM, installing TPM drivers, and a process called enabling and clearing the TPM in the BIOS.

Technically, the TPM specification doesn't yet have a specification that details a way to do this other than manually. But several vendors, including Wave Systems, now have toolkits to do this remotely and build management around it. That's what PwC used to activate TPM via administrator-controlled passwords.

PwC has already migrated about 35,000 employees to TPM, and expects to have all 150,000 over to TPM over the course of about a year or so. TPM works transparent to the user. Kiljan says estimates are that TPM is less than half the cost of going with a smartcard-based PKI device and a third of going with a USB PCI device.

Lan Wong, HP's firmware architect in the personal systems group, also spoke at the NSA Trusted Computing Conference on the topic of TPM and key protection and device authentication.

TPM "uses the system BIOS as the root of trust to enable remote authentication," she said. HP, as a founding member of the Trusted Computing Group, has been shipping TPM in HP desktops and notebooks since 2003. But she acknowledges that customers have either ignored TPM too often or not always found it easy to use. She also alluded to the lack of a standard for remote deployment of TPM activations.

The TPM control interface require specialized knowledge, she said, and TPM activation and enablement isn't as simple as it could probably be. But HP's implementation comes with scripts the IT administrators can use to activate TPM deployments in their enterprise.

She also noted it's possible to use TPM to enhance file and folder encryption by tying encryption to TPM. Wong hinted that HP will soon have announcements related to what is being called the "trusted public cloud," but she declined to be into detail.Trusted Computing Group eyes cloud-security framework.

In acquiring ArcSight, HP signals intent to be the security leader as NSA accreditations lag behind IT security innovations.